CVE-2017-5462

Published: 20 April 2017

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (53.0)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (53.0+build6-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [53.0+build6-0ubuntu0.14.04.1])
nss
Launchpad, Ubuntu, Debian
Upstream
Released (3.28.4, 3.30.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2:3.28.4-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2:3.28.4-0ubuntu0.14.04.1)
Patches:
Upstream: https://hg.mozilla.org/projects/nss/rev/7248d38b76e5
thunderbird
Launchpad, Ubuntu, Debian
Upstream
Released (52.1.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:52.1.1+build1-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1:52.1.1+build1-0ubuntu0.14.04.1])